SSL VPN Not Working Post ATP200/800 Firmware Upgrade


All Replies

  • NEP
    NEP Posts: 34
    First Comment Friend Collector
     Freshman Member
    edited August 17
    Can we turn on some other logging? At the moment the system log shows nothing. It doesn't even indicate an attempted connection.

    In my mind at least, the issue is definitely caused by something in the firmware update. Under Firmware Management we have "V5.31(ABFW.0)ITS-22WK31-r104914" loaded in 1 (Running). The SSL VPN does not work. If we click on "V5.30(ABFW.0)" in 2 (Standby) and click Reboot, then after the reboot the SSL VPN "magically" works. No changes whatsoever. In that short time, the Public IP on the client side wouldn't have changed, which means the IP isn't being blocked.
  • NEP
    NEP Posts: 34
    First Comment Friend Collector
     Freshman Member
    edited August 17
    We've done some more testing and the SSL VPN is working for some users. Well, one user, but they have tested it at multiple locations (all Comcast supplied). Waiting for a couple more users to get back to me. Anyway, those who are affected (i.e., can't use the VPN) are using Verizon's services. That is what I have and I've tried both my home internet and cellular hotspot. Neither works. Is it possible that some of the SSL VPN changes you mentioned prior (specifically MTU) could be unsupported by Verizon?

    Another user got back to me. They have Blue Ridge Communications as the ISP and it does not work for them. In case it matters, we as a company are US East Coast based and Comcast is the ISP at our three sites.
  • NEP
    NEP Posts: 34
    First Comment Friend Collector
     Freshman Member
    So much for the Verizon theory, just had two more users confirm that they can't connect to the VPN. Both are using Comcast. One of them also confirmed that they can log into the login page, so they know their password and the SSL VPN connection info is good.

    User (MAC=-) from http/https has logged out Device
    User (MAC=-) from http/https has logged in Device
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 433
    25 Answers First Comment Friend Collector Second Anniversary
     Master Member
    Hi @NEP

    After our discussion, you have decided to roll back to the 5.30 firmware for now to keep the SSL VPN service stable. If you still need assistance in the future, please let us know. Thanks.
  • NEP
    NEP Posts: 34
    First Comment Friend Collector
     Freshman Member
    That is correct, we rolled back to v5.30 because we have users that need to use the VPN. Please do not take our rolling back as a solution. It certainly is not, as it will most likely happen again with the next firmware that is released (barring any changes). Something is not correct with the newer firmware; however, at this time we can no longer help with finding out what that is.
  • mMontana
    mMontana Posts: 975
    25 Answers 500 Comments Friend Collector Third Anniversary
     Guru Member
    Following, I don't want to stumble upon this issue in future.
  • NEP
    NEP Posts: 34
    First Comment Friend Collector
     Freshman Member
    Hello. Just installed v5.32 and we are still having the same issue. The SSL VPN won't connect. Same log errors as before. 5.30 works fine, 5.31 and 5.32 do not. I saw in the changelog that there was a macOS issue with SSL VPN and ports not being identical. Maybe we have something similar. In any case, I have left 5.32 running and will send @Zyxel_Jeff "limited_admin" credentials for our ATP. Hopefully this issue can be found and corrected. Thanks!
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 433
    25 Answers First Comment Friend Collector Second Anniversary
     Master Member
    Hello @NEP

    We can access the ATP800 remote Web-GUI now. Could you add the zyxel support user account to the vpn_group user group for us? We would like to establish an SSL VPN connection to the ATP800 for troubleshooting purposes. I already sent a private message to you. Thanks :)


  • Zyxel_Jeff
    Zyxel_Jeff Posts: 433
    25 Answers First Comment Friend Collector Second Anniversary
     Master Member
    Hi @NEP

    We noticed that the root cause might be the limited-admin account. An SSL VPN connection cannot be established using the limited-admin account, but it can be established to your ATP800 using a normal user account, as below:




    We confirm it's our current design.
    So, please use a user privilege account to establish the SSL VPN connection with your ATP800.

    Besides, customers sometimes make the mistake of adding an extra https to the SSL VPN server URL by accident, or of using the wrong port number. That would also prevent the SSL VPN connection from being established.
